summaryrefslogtreecommitdiffstats
path: root/package/apache/apache.hash
Commit message (Collapse)AuthorAgeFilesLines
* package/apache: security bump to version 2.4.38Peter Korsgaard2019-01-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security vulnerabilities: *) SECURITY: CVE-2018-17199 (cve.mitre.org) mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused. [Hank Ibell] *) SECURITY: CVE-2018-17189 (cve.mitre.org) mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data. [Stefan Eissing] *) SECURITY: CVE-2019-0190 (cve.mitre.org) mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052. [Joe Orton] For more details, see the CHANGES file: https://www.apache.org/dist/httpd/CHANGES_2.4.38 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump version to 2.4.37Bernd Kuhls2018-10-241-1/+1
| | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.37 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.35Bernd Kuhls2018-09-301-2/+2
| | | | | | | | | | | Fixes: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E Release notes: https://lists.apache.org/thread.html/5d604774652fc073b1b161584d0d1efbdba7898c40ae2e2334725e5f@%3Cannounce.httpd.apache.org%3E Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump version to 2.4.34Bernd Kuhls2018-07-171-2/+3
| | | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.34 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.33Bernd Kuhls2018-03-241-2/+3
| | | | | | | | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.33 Fixes CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301, CVE-2017-15715, CVE-2018-1312, CVE-2018-1302. Added license hash. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump version to 2.4.29Bernd Kuhls2017-10-241-2/+2
| | | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: bump to version 2.4.28Bernd Kuhls2017-10-061-2/+2
| | | | | | | | | Fix for CVE-2017-9798 is included in this release, so this patch is removed. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> [Update commit log: not a security bump] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* package/apache: bump version to 2.4.27Bernd Kuhls2017-07-111-2/+2
| | | | | | | | Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* apache: security bump to version 2.4.26Peter Korsgaard2017-06-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. While we're at it, use the upstream sha256 checksum instead of sha1. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: security bump version to 2.4.25Bernd Kuhls2016-12-221-1/+1
| | | | | | | | | | | Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.25 Fixes CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.23Bernd Kuhls2016-07-071-2/+2
| | | | | | | | | Fixes CVE-2016-4979: TLS/SSL X.509 client certificate auth bypass with HTTP/2 http://httpd.apache.org/security/vulnerabilities_24.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: bump to version 2.4.20Gustavo Zacarias2016-04-131-2/+2
| | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: bump version to 2.4.18Bernd Kuhls2015-12-191-2/+2
| | | | | Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: bump to version 2.4.17Vicente Olivert Riera2015-10-141-2/+2
| | | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* package/apache: security bump to version 2.4.16Bernd Kuhls2015-07-161-2/+2
| | | | | | | | Fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228 http://marc.info/?l=apache-httpd-announce&m=143704705330655&w=2 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* apache: new packageBernd Kuhls2015-02-221-0/+2
[Thomas: - Don't explicitly pass CC_FOR_BUILD and CFLAGS_FOR_BUILD, those are already part of the default environment passed by the autotools-package infrastructure. - Explicitly disable Lua and LuaJIT support to avoid mis-detection of host installation. - Explicitly handle the optional support of libxml2, OpenSSL and zlib. Especially, the absence of explicit handling for libxml2 was causing a build failure due to the host libxml2 being detected. - Remove /usr/manual and /usr/build from the target. This saves 20+ MB of target space.] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
OpenPOWER on IntegriCloud